urelas | cfe7edf0b19874c5786156bec7c642b944ab2ee5ebbb2b7201b566e47ae43c59

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4326e5a55dc80145a1d1257213eed0N.exe
Size

69KB
MD5

0a4326e5a55dc80145a1d1257213eed0
SHA1

8ab73638f976782c7525fc217b80293d7c558566
SHA256

cfe7edf0b19874c5786156bec7c642b944ab2ee5ebbb2b7201b566e47ae43c59
SHA512

8ba0bffca3d7e34b9ea475afd8bf2aeaec3aef4e7cfe4a0e8ba639a0d2d2bb7929ad42122104b6d53222e6a076d7f9b154906576e32ebb9be1e7ab15245b3e4b
SSDEEP

1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarawh:yLAYUzmdD0sMQl7d7IuhCae4

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a4326e5a55dc80145a1d1257213eed0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	0a4326e5a55dc80145a1d1257213eed0N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

4980 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4980	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0a4326e5a55dc80145a1d1257213eed0N.exe

description	pid	process	target process
PID 4196 wrote to memory of 4980	4196	0a4326e5a55dc80145a1d1257213eed0N.exe	biudfw.exe
PID 4196 wrote to memory of 4980	4196	0a4326e5a55dc80145a1d1257213eed0N.exe	biudfw.exe
PID 4196 wrote to memory of 4980	4196	0a4326e5a55dc80145a1d1257213eed0N.exe	biudfw.exe
PID 4196 wrote to memory of 1096	4196	0a4326e5a55dc80145a1d1257213eed0N.exe	cmd.exe
PID 4196 wrote to memory of 1096	4196	0a4326e5a55dc80145a1d1257213eed0N.exe	cmd.exe
PID 4196 wrote to memory of 1096	4196	0a4326e5a55dc80145a1d1257213eed0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0a4326e5a55dc80145a1d1257213eed0N.exe
"C:\Users\Admin\AppData\Local\Temp\0a4326e5a55dc80145a1d1257213eed0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
69KB

MD5
7b3b362843b37a84bc56c9b74237e59e

SHA1
9406a319b026a8e858ff45ed65bbce8c33890de1

SHA256
3977b69ec7bbdcb39468974d0879a7e71741c18dcc0a56945a1f827e03424692

SHA512
5825982bbe9ebb8bdc58e08195d6e16a851905d42ac29c6f5224b794ce899746bb526c7a5252c9ecd3d7b703e99ce7c0a64e209237696376c7eca1858fd0deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c9b2720af0ca9528b47898d9c7f4799

SHA1
80495f16e333f54ecc700252323c2a7cb7d751e1

SHA256
d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5

SHA512
5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
5833e8a4d4db808286e828b015fe757e

SHA1
d655f52c28550d0801aa12190435eb1f86629c89

SHA256
93d0225173f9d4a58df83775b6a3c55894df18fe58ac95f20838cff2cc6bcc86

SHA512
4bff04e8c2927e44f3798316a5e6699185a5ba85a22997237f0b1bc6c06f4289a12f277df705a4f0c3684e468e9bbbed6840d958761c8abed38af70fae91612e

Download Submit
memory/4196-0-0x0000000000F30000-0x0000000000F57000-memory.dmp

Filesize
156KB

Download
memory/4196-18-0x0000000000F30000-0x0000000000F57000-memory.dmp

Filesize
156KB

Download
memory/4980-15-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/4980-21-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/4980-23-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/4980-30-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download